5 Things You Don’t Know Because You Weren’t At CU InfoSecurity 2013

Around 50 credit union IT executives filled the meeting room at the Platinum Hotel in Las Vegas and, over three days last week, they heard from speaker after speaker with new warnings, fresh approaches to helping employees dodge phishing attacks, and above all, better ways to protect the data that are the lifeblood of any financial institution.

Face it: the era of the crook with a mask and a gun robbing a financial institution is fast disappearing. Value today is in data and it’s the data that are under relentless assault by ever smarter crooks.

Credit unions in attendance at the conference were large – the $1.2 billion MECU of Baltimore – and others were small – the $108 million GeoVista CU in Hinesville, Ga. – and still others were mid-sized such as the $448 million Air Academy FCU from Colorado Springs, Colo.

They came because, as one executive explained, “we want to hear what’s new, what we should be recommending to our CEO and the board.”

Bottom line: information security is a dynamically changing landscape and that, fundamentally, is what brought the IT executives to the conference.

Speakers rewarded them with valuable insights. Here's a look at five.

* You can’t count on the regulator for an information security prescription. That was the chilling warning from Jim Brahm, CEO of Security Compliance Associates, who said that information security regulations and advice from federal regulators typically have been “vague” and inconclusive. “They usually are non-specific,” said Brahm.

He added: “There is a lot of inconsistency in information security regulation and how it is enforced.”

“We see big differences in what examiners say from state to state.”

He added that “we see very little focus on information security in most credit unions, especially those with under $1 billion in assets.”

“As a credit union gets larger – over $1 billion – there is usually more focus by the regulator.”

Brahm’s takeaway message: credit unions cannot rely on regulators to offer a blueprint for what needs to be done to secure information. They need to arrive at that by dint of their own hard work and study of best practices.

Real Suspicious, Right Now

* Get alerts to suspicious activity in real time, urged Kevin Nikkhoo, CEO of CloudAccess, a security-as-a-service startup.

Getting them later could be catastrophic.

Even when the activity occurs at 3 a.m. on a Saturday.

And respond in real time – then adjust controls and access as needed.

This is because the belief is spreading among security experts that it may no longer be possible to fully protect data with a firewall and password authentication – that is, breaches may and perhaps will occur.

And a big step towards minimizing harmful consequences, urged Nikkhoo, is round-the-clock monitoring, frequently done in association with a third-party vendor. Nikkhoo added: “Continuously monitor, alert and report on system and authentication events.”

Nikkhoo also advised: “Restrict access to data by business need to know.”

That’s because in too many credit unions too many people can broadly and freely roam through member data – often without even leaving an auditable trail.

Key questions that need answers, said Nikkhoo, are who is logging in, what are they accessing, and how does this affect security?
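Nikkhoo's three questions (who is logging in, what are they accessing, and is it within their business need to know) can be answered by a small rule set run over authentication and data-access events as they arrive. The script below is an added illustration, not code from the article or from CloudAccess; the event records, the need-to-know policy table, the business-hours window and the bulk-read threshold are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample of authentication and data-access events (not real logs).
# 2013-06-08 is a Saturday; 2013-06-10 is a Monday.
EVENTS = [
    {"ts": "2013-06-08T03:12:00", "user": "tellerA", "role": "teller",
     "action": "login", "src": "10.0.5.21"},
    {"ts": "2013-06-08T03:14:00", "user": "tellerA", "role": "teller",
     "action": "read", "object": "member_records", "count": 4200},
    {"ts": "2013-06-10T09:05:00", "user": "hr_jane", "role": "hr",
     "action": "read", "object": "member_records", "count": 3},
    {"ts": "2013-06-10T10:30:00", "user": "tellerB", "role": "teller",
     "action": "read", "object": "member_records", "count": 12},
]

# Hypothetical need-to-know policy: which roles may touch which data set.
NEED_TO_KNOW = {"member_records": {"teller", "member_services", "fraud"}}
BUSINESS_HOURS = (8, 18)      # assumed local window, weekdays only
BULK_READ_THRESHOLD = 1000    # assumed ceiling for a normal day's lookups


def check_event(ev):
    """Return the alerts raised by one event (empty list if nothing suspicious)."""
    alerts = []
    ts = datetime.fromisoformat(ev["ts"])
    if ev["action"] == "login":
        # Who is logging in, and when: weekend or outside business hours.
        weekend = ts.weekday() >= 5
        outside = not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])
        if weekend or outside:
            alerts.append(f"off-hours login by {ev['user']} at {ev['ts']} from {ev['src']}")
    elif ev["action"] == "read":
        # What are they accessing, and does their role have a business need?
        allowed = NEED_TO_KNOW.get(ev["object"], set())
        if ev["role"] not in allowed:
            alerts.append(f"{ev['user']} ({ev['role']}) read {ev['object']} without need-to-know")
        if ev["count"] >= BULK_READ_THRESHOLD:
            alerts.append(f"bulk read of {ev['count']} {ev['object']} rows by {ev['user']}")
    return alerts


def monitor(events):
    """Evaluate events in arrival order; return (audit_trail, alerts)."""
    audit, alerts = [], []
    for ev in events:
        audit.append(ev)              # every access is recorded, suspicious or not
        alerts.extend(check_event(ev))  # alert immediately, not in a nightly batch
    return audit, alerts
```

In practice the alerts would be pushed to whoever is on call (or to the monitoring vendor) the moment they fire, and the audit trail is what lets an examiner later reconstruct who touched which member data.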

All In, Including the Boss

* You can’t count on the credit union CEO. Bruce Smalley, a vice president at ACI Defense, said that twice in just the past year his company found credit unions that had suffered malware infections because their CEO was exempt from the safe-browsing restrictions that just about every other employee had to abide by when using workplace computers.

Smalley is a big advocate of “restrictive browsing policies” but, he stressed, the policies to be most effective need to be applied to every employee. Including the boss.

Protect Data, Not Devices

* Protect data, not devices. That was a central message from David Applebaum, a senior executive with Moka5, a Silicon Valley data security firm.

The Moka5 message: it just is not possible to reliably protect every device on the network (not in an era of BYOD), so Moka5’s approach is to put sensitive data and applications in a protected virtual container that is easily downloaded to any device, via a centralized management system.

The container itself – essentially a segregated, walled workspace – is designed to be impermeable to threats that might be aimed at the device.

Is this containerization approach the only way to keep data safe in a world of multiplying threats? Hardly. But know that Moka5 and others now are racing to innovate ways to keep data safe regardless of the devices and of the nature and volume of threats.

Let's Get Together

* Make the member part of the solution. Too often, said Jay McLaughlin, an executive with Q2ebanking, members are viewed as part of the problem – but the smarter approach is to enlist them as helpmates in solving the problem.

How? Encourage them to sign up for account activity alerts – and recognize that the majority of cases of theft are first detected by the account holders.

Persuade them to enroll in two-factor authentication, too, suggested McLaughlin.

Make members more informed – and keep them informed – and, said McLaughlin, those are big steps to a safer, more secure banking environment.